Security is always a topic worth discussing… Patient Portals are a big issue and we need to discuss models that do NOT browse directly into the data models …
True Health Diagnostics, a Frisco, TX-based healthcare services company, recently became aware of a security flaw in their patient portal after an IT consultant logged in to view their test results and accessed other patients’ records by accident. Upon investigating the issue, it was determined that because True Health uses sequential numbers on their patient record PDF files, users of the patient portal could easily alter a digit in the URL and therefore view the medical information of other patients (also known as Forceful Browsing).
We need to move forward with API (like FHIR) based solutions for access to patient data via apps, not portals.
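As an added illustration of the forceful-browsing flaw quoted above (not code from True Health, OpenEMR or anyone in this thread), here is a minimal Python sketch of a report handler that serves PDFs by sequential id, beside a hardened version that authorises every fetch against the record's owner and exposes only unguessable tokens in URLs. The patients, report ids and PDF bytes are constructed sample data.

```python
import secrets

# Constructed sample data: two patients, one lab-report PDF each.
# Ids 1001 and 1002 are sequential, the pattern described in the article.
REPORTS = {
    1001: {"owner": "alice", "pdf": b"%PDF alice labs"},
    1002: {"owner": "bob",   "pdf": b"%PDF bob labs"},
}

def fetch_report_vulnerable(session_user, report_id):
    """Serves any report whose id exists. Login only proves the caller is
    *a* patient, not that this record is theirs, so editing one digit in
    the URL returns another patient's PDF (forceful browsing / IDOR)."""
    return REPORTS[report_id]["pdf"]

# Hardened design: (1) ownership is checked on every fetch, server-side;
# (2) URLs carry a random opaque token rather than the sequential id, so
# an enumeration attempt cannot even name a valid resource.
_TOKEN_TO_ID = {}

def issue_token(session_user, report_id):
    """Mint a URL token for a report the caller owns (hypothetical helper)."""
    if REPORTS[report_id]["owner"] != session_user:
        raise PermissionError("not the owner")
    token = secrets.token_urlsafe(32)
    _TOKEN_TO_ID[token] = report_id
    return token

def fetch_report(session_user, token):
    """Resolve the token, then re-check ownership; possession of a URL is
    never treated as proof of the right to the data behind it."""
    report_id = _TOKEN_TO_ID.get(token)
    if report_id is None:
        raise PermissionError("unknown report")
    record = REPORTS[report_id]
    if record["owner"] != session_user:
        raise PermissionError("not the owner")
    return record["pdf"]

def is_denied(fn, *args):
    """True when the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The ownership check is the real fix; the opaque token is defence in depth, since a leaked or shared URL still cannot be used by a different logged-in patient.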
Yeah, that is a file you are supposed to remove after setup.
Wouldn’t call this really “The Press” though… it’s someone’s mostly contextually irrelevant blog post. Where and how they would possibly come up with a “90 million patients” number clues me into the fact that it is not exactly a… a peer-reviewable paper…
Plus the “fix” is to simply delete the setup.php file after the setup is completed, as instructed.
We have a more elegant solution in the works, but it’s not a real vulnerability; it’s a security service using OpenEMR to advertise himself since he can’t do this kind of work on a proprietary product. The community typically benefits from this kind of transparency.